U.S. Agency Issues Call for National Cybersecurity Standards

In the post-Stuxnet world, the prospect of undeclared cyberwar has been dragged out of the shadows to the front pages. With that in mind, yesterday the U.S. National Institute of Standards and Technology (NIST) kicked off an effort to establish a set of best practices for protecting the networks and computers that run the country’s critical infrastructure. The Cybersecurity Framework was initiated at the behest of President Barack Obama, who issued an executive order calling for a common core of standards and procedures aimed at keeping power plants and financial, transportation, and communication systems from falling prey to any of a wide range of cybersecurity threats.

The first step, says NIST, will be a formal Request for Information from infrastructure owners and operators, plus federal agencies, local government authorities, and other standards-setting organizations. NIST says it wants to know what has been effective in terms of keeping the wolves at bay. To that end, it will hold a series of workshops over the next few months where it will gather more input. The agency says that when the framework is completed in about a year, it should give organizations “a menu of management, operational, and technical security controls, including policies and processes” that will make them reasonably sure that their efforts represent an effective use of their time and resources.

Oddly, though, the press release announcing the development of the Cybersecurity Framework makes no mention that the final public version of a report titled "Security and Privacy Controls for Federal Information Systems and Organizations" was released on 5 February and that the public comment period continues through 1 March.